
Re: Firewall for use with cable modem?



Gary Hennigan wrote:
> 
> Manegold <manegold@uni-trier.de> writes:
> > ktb wrote:
> > >
> > > On Wed, Dec 20, 2000 at 12:02:14AM +0000, Phillip Deackes wrote:
> > > > I have spent much of the day getting more and more confused about
> > > > firewalls and Linux. I am having a cable modem installed soon and want my
> > > > system to be secure. I have only the one computer, and am running Woody.
> > > >
> > > > Is there a free (or low-cost) firewall which will work on Debian? I don't
> > > > feel confident enough to be messing with ipchains and such. I had a look
> > > > at Storm Firewall, but this is expensive at 99USD and seems way over the
> > > > top for what I would need on a single workstation.
> > > >
> > > > I downloaded gfcc, but don't understand what to do with it. I have read
> > > > the Firewall HOWTO but I really don't grasp much of it. I am embarrassed to
> > > > admit that I really want an out-of-box solution - something I can install
> > > > and perhaps tweak a little as I get more confident. I don't do anything
> > > > out of the ordinary on the Internet, just the usual mail, news and web. I
> > > > occasionally use RealAudio and ftp, but not a lot else.
> > > >
> > > >
> > >         Install something like "pmfirewall" or "seawall."  I've used
> > >         pmfirewall before and it is simple to set up.  Basically what
> > >         these two scripts do is write ipchains rules for you based on
> > >         some of the questions you answer.  I don't have any URLs handy
> > >         but they should be easy to find.  After installing your chains
> > >         take a look at them and learn from them.  One other thing you
> > >         might think about is getting a cheap or free 486 and making it
> > >         your firewall.
> > >         hth,
> > >         kent
> >
> > I used pmfirewall too, but the problem with it is that it only blocks
> > certain things it knows about. The default stance is allow (!). In my
> > opinion that is not so good. It should be deny unless the port is
> > explicitly opened up. I think that this would be possible via a script
> > setup too, and much better. I don't know "seawall". Maybe that does it
> > better.
> > However, if you don't want to learn at least something about ipchains
> > and some basics about what a firewall can do, then maybe it is OK. But
> > then you will not know how much security you got.
> 
> I think you may be mistaken on this point. The policy PMFirewall
> defaults to is ACCEPT but, at least on my installation, the last rule
> in my input chain is:

Yep the policy is ACCEPT.

 
> target     prot opt     source                destination        ports
>  .
>  .
>  .
> DENY       all  ----l-  0.0.0.0/0            0.0.0.0/0             n/a
> 
> I'm no ipchains expert, but I believe that this rule implies that if
> none of the previous rules caused the packet to be accepted it'll be
> denied here.

I would not call myself an ipchains expert either. I'm still learning
that firewall stuff myself.

> 
> Now personally, in addition to leaving the rule above as the last one
> in my input chain, I set the policy to DENY, just as a precaution,
> but I *think* it's redundant given the rule above.
> 

Well, I had someone port-scan me from outside and he found a number of
ports not blocked, even though I opted to have only SSH open during
setup. Don't know why that was, but it's not good. Therefore I went
ahead and did a setup with the policy on DENY. For learning, pmfirewall
served me well though.

> And of course the nice thing about a script approach like PMFirewall
> is that it's easy to modify as you learn more about ipchains.

Yes, as above, but sometimes it's better to know that you don't have the
security of a packet filter than to be mistaken about the level of
security you really have.

Greetings
Thorsten Manegold
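The thread above turns on two ipchains details: the chain policy applies only when no rule matches, and rules are evaluated in order with the first match winning, so a trailing DENY rule and a DENY policy overlap but are not the same thing. Below is an added example, written for this page and not pmfirewall's output nor code posted by anyone in the thread: a small sh script that builds a default-DENY input chain for a single workstation with only SSH reachable. The interface name eth0, SSH on tcp/22, the /sbin/ipchains path and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example (not pmfirewall output, not code posted in the thread):
# a default-DENY ipchains input chain for a single workstation.
# Assumptions: external interface eth0, inbound SSH on tcp/22.
# Set DRY_RUN=1 to print the ipchains commands instead of running them.

EXT_IF="${EXT_IF:-eth0}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# run: execute one ipchains command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# apply_rules: flush the input chain, set its policy to DENY, then open
# only what this host needs.  ipchains evaluates rules in order and the
# first match wins; the policy applies only when no rule matches.
apply_rules() {
    run -F input
    run -P input DENY

    # Loopback traffic is always allowed.
    run -A input -i lo -j ACCEPT

    # Anti-spoofing: a loopback source address must never arrive on eth0.
    run -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # The one service this host offers: SSH.
    run -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 22 -j ACCEPT

    # ipchains is stateless, so replies to connections this host opened
    # can only be recognised by not being connection requests ("! -y"
    # matches TCP segments that are not SYN-only).  A SYN to any port
    # other than 22 is therefore still caught by the final DENY below.
    run -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # DNS answers (UDP from source port 53).  Narrow 0.0.0.0/0 to your
    # resolver's address: a stateless filter cannot tell an answer from
    # an unsolicited packet that merely uses source port 53.
    run -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -j ACCEPT

    # ICMP, needed for path MTU discovery and error reporting.
    run -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Explicit, logged catch-all.  Redundant with the DENY policy as long
    # as it stays the last rule, but it keeps the deny visible in
    # 'ipchains -L input -n' and logs what was dropped.  Anything appended
    # after it with -A is never reached; later additions must use -I.
    run -A input -j DENY -l
}

# Usage:  DRY_RUN=1 sh firewall.sh apply   # print the rules
#         sh firewall.sh apply              # apply them (as root)
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

After applying, check the result with `ipchains -L input -n`: the header shows the policy and the listing should end with the DENY rule. Two caveats a reader of this thread will want: a rule appended with `-A` after the catch-all does nothing, which is one way a "SSH only" setup can quietly differ from what the listing appears to say, and because the `! -y` rule accepts any non-SYN TCP segment, a scanner that probes with ACK packets will report ports as unfiltered even though a real connection attempt (a SYN) to them is denied.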


